Exploit Code on Trial

Exploit Code on Trial
Kevin Poulsen, SecurityFocus 2003-11-23

Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Expand all | Post comment

Exploit Code on Trial 2003-11-24
Anonymous

Screw the vendors 2003-11-24
Anonymous (2 replies)

Screw the vendors 2003-11-25
Rodrigo Otaviano <rodrigo (at) otaviano (dot) com [email concealed]>

Screw the vendors? Screw the users at the same time. 2003-12-02
Alun Jones

Exploit Code on Trial 2003-11-24
Bob Radvanovsky

Exploit Code on Trial 2003-11-24
Anonymous

Exploit Code on Trial 2003-11-24
TW

Private first, then public, THEN publish exploit 2003-11-24
Anonymous (1 replies)

Private first, then public, THEN publish exploit 2003-11-25
Anonymous

Exploit Code on Trial 2003-11-25
Leif Ericksen

Exploit Code on Trial - final word 2003-11-25
Anonymous (1 replies)

Exploit Code on Trial - final word 2003-11-25
Anonymous

Exploit Code on Trial 2003-11-25
Camel

Loss of money 2003-11-29
bl0rf

Whether someone releases exploit code is entirely up to them, Microsoft has no business to negotiate.

An interesting thing is that thousands of people and millions of dollars are involved in virus-fighting efforts ( software ) and patch-writing. If people stop disclosing vulnerabilities all of those people and money would be lost ...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/7511/23945#23945

Exploit Code on Trial 2003-12-02
Anonymous

Good on paper....bad in reality. 2003-12-03
MA